Cyber risks will soon become bigger risks than natural catastrophes for the insurance sector, Scor Chairman and Chief Executive Officer Denis Kessler said, recommending the industry build a comprehensive, common global scale to assess cyber-related incidents.
“I dream of a kind of Richter scale for cyber security,” Kessler said at a conference on cybersecurity held at the Bank of France, referring to the scale used to measure earthquakes. “It would be very helpful to have measurement and modeling tools. Unless we can model, it’s very difficult for us to provide coverage. We have scenarios but not modeling tools.”
Cybersecurity experts and top executives in the financial sector as well as representatives from the European Central Bank, the Federal Reserve and the central banks of Canada and Japan convened in Paris to assess the risk.
ECB Executive Board Member Sabine Lautenschlaeger said it was “but a matter of time” before serious incidents would hurt the systemic sector.
To try and prepare for potential attacks, the Group of Seven — currently presided by France — will simulate a cross-border crisis next month.
“This is a world first and I am confident we will be able to learn a great deal from it,” French Finance Minister Bruno Le Maire said at the conference in Paris.
Bank of France Governor Francois Villeroy said the cybersecurity threats are a “major and systemic risk” to the financial sector as attacks are more frequent and public action on cyber attacks in the sector is “sub-optimal.” He said the crisis-simulations should be repeated to enhance the resilience of the financial system.
“The monetary impact — of attacks so far — was not so high, negligible. But I don’t feel comfortable, calm, not at all, it is a question of time, let me be very clear,” Lautenschlaeger said. She called on the financial institutions to review their information systems infrastructure, conduct stress tests and joint exercises to improve their resilience, she said.
$600 Billion a Year
While the cost of cyber risks has been small until now, the panel agreed it was only bound to increase. Kessler said the cyber risk could exceed $600 billion per year “in the worst case scenario.” That compares with the yearly cost of natural catastrophes, which he said is about $230 billion. The cyber risk “would dwarf it. So it gives you a size of the risk,” he said.
Still, “the demand for cyber risk coverage well exceeds the supply and this is an issue,” Kessler said, calling for a “re-balance” of the situation. The lack of aggregated data monitoring incidents is partly responsible for the shortage of coverage, he said. Kessler said the sector needs to coordinate and also to partner with authorities “to build databases and a taxonomy to share information,” or a common vocabulary for policy makers and companies to use in assessing cyber-related impact on the financial or industrial sector.
For Lautenschlaeger and Kessler, cybersecurity is shared responsibility and companies must invest to have better protections and understanding of the risk, they said.